Security Bulletin: Vulnerabilities in Node.js modules affect IBM Voice Gateway

Summary

Security Vulnerabilities in Node.js modules affect IBM Voice Gateway. The vulnerabilities have been addressed.

Vulnerability Details

CVEID:CVE-2023-36665
**DESCRIPTION:**protobuf.js could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution. By sending a specially crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259737 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-25883
**DESCRIPTION:**Node.js semver package is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the new Range function. By providing specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

IBM strongly suggests upgrading to the following IBM Voice Gateway 1.0.8.x images:

ibmcom/voice-gateway-mr:1.0.8.11
ibmcom/voice-gateway-tts-adapter:1.0.8.7
ibmcom/voice-gateway-stt-adapter:1.0.8.7

The above images can be found at the below links:
<https://hub.docker.com/r/ibmcom/voice-gateway-mr/tags&gt;
<https://hub.docker.com/r/ibmcom/voice-gateway-tts-adapter/tags&gt;
<https://hub.docker.com/r/ibmcom/voice-gateway-stt-adapter/tags&gt;

Workarounds and Mitigations

None